KeyForge: Non-Attributable Email from Forward-Forgeable Signatures

Email breaches are commonplace, and they expose a wealth of personal, business, and political data whose release may have devastating consequences. Such damage is compounded by email’s strong attributability: today, any attacker who gains access to your email can easily prove to others that the stolen messages are authentic, because each message carries a signature made under the sending domain’s published key, a property arising from a necessary anti-spam/anti-spoofing protocol called DKIM. This greatly increases attackers’ capacity to do harm by selling the stolen information to third parties, blackmail, or publicly releasing intimate or sensitive messages — all with built-in cryptographic proof of authenticity. This paper introduces non-attributable email, which guarantees that a wide class of adversaries are unable to convince discerning third parties of the authenticity of stolen emails. We formally define non-attributability, and present two system proposals — KeyForge and TimeForge — that provably achieve non-attributability while maintaining the important spam/spoofing protections currently provided by DKIM. Finally, we implement both and evaluate their speed and bandwidth performance overhead. We demonstrate the practicality of KeyForge, which achieves reasonable verification overhead while signing faster and requiring 42% less bandwidth per message than DKIM’s RSA-2048.
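To make the attributability problem concrete, the following is an added illustration in Python; it is not code from the paper and it is not the KeyForge or TimeForge construction. It assumes a toy setup: a mail server signs each epoch's message with a Lamport one-time key (SHA-256, standard library only), and after a disclosure delay it publishes the expired secret key, standing in for publication in DNS. While the key is live, a signature that verifies under the domain's public key is evidence of authenticity; once the secret is public, anyone can produce a verifying signature on any message for that epoch, so the same signature no longer proves anything to a third party. Names such as `EpochSigner` and `attribution_demo` are invented for this example.

```python
import hashlib
import secrets

# Constructed illustration of forward-forgeable signatures. This is NOT the
# paper's KeyForge/TimeForge scheme; it only demonstrates the property that
# matters for non-attributability: after an epoch expires, the signer
# deliberately makes its own signatures forgeable by anyone.

N_BITS = 256  # one Lamport key-pair element per bit of the SHA-256 digest


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time key pair: sk is 256 pairs of 32-byte secrets, pk their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    digest = int.from_bytes(_h(msg), "big")
    return [(digest >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def sign(sk, msg: bytes):
    """Reveal the secret half selected by each digest bit (one-time use per key)."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed secret and compare against the corresponding pk element."""
    if len(sig) != N_BITS:
        return False
    return all(_h(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


class EpochSigner:
    """Hypothetical mail server: fresh key per epoch, expired secrets published after a delay."""

    def __init__(self, delay: int):
        self.delay = delay      # epochs to wait before disclosing a secret key
        self.keys = {}          # epoch -> (sk, pk)
        self.published = {}     # epoch -> sk; stands in for a DNS record anyone can read

    def public_key(self, epoch: int):
        if epoch not in self.keys:
            self.keys[epoch] = keygen()
        return self.keys[epoch][1]

    def sign(self, epoch: int, msg: bytes):
        self.public_key(epoch)  # ensure the epoch key exists
        return sign(self.keys[epoch][0], msg)

    def advance_to(self, now: int):
        """Disclose every secret key whose epoch is at least `delay` epochs old."""
        for epoch in list(self.keys):
            if epoch + self.delay <= now:
                self.published[epoch] = self.keys[epoch][0]


def attribution_demo():
    """Walk through: genuine signature, breach, key disclosure, third-party forgery."""
    server = EpochSigner(delay=1)
    msg = b"From: alice@example.test\r\nSubject: quarterly numbers\r\n\r\nConfidential."
    sig = server.sign(epoch=0, msg=msg)          # legitimate signature, epoch 0
    pk = server.public_key(0)

    server.advance_to(0)                         # still inside epoch 0
    secret_leaked_early = 0 in server.published  # expected False: key still private

    server.advance_to(1)                         # delay elapsed: secret is now public
    leaked_sk = server.published[0]
    forged_msg = b"From: alice@example.test\r\nSubject: quarterly numbers\r\n\r\nFabricated."
    forged_sig = sign(leaked_sk, forged_msg)     # anyone can do this now

    return {
        "genuine_verifies": verify(pk, msg, sig),
        "secret_published_during_epoch": secret_leaked_early,
        "forgery_verifies": verify(pk, forged_msg, forged_sig),
        "tampered_fails": verify(pk, forged_msg, sig),
    }


if __name__ == "__main__":
    for name, value in attribution_demo().items():
        print(f"{name}: {value}")
```

The point of the demo is the last two values: a forged message with a forged signature verifies exactly like the genuine one, whereas merely tampering with the message body does not. A verifier who can still check signatures during the live epoch keeps DKIM's spam and spoofing protection; a third party shown a signature after the disclosure delay learns nothing about who wrote the message. A real scheme needs a many-time signature and a way for verifiers to learn the disclosure schedule; the paper's constructions address both, and this toy uses one key per message only to keep the code short.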
